On 10/22/07, Jordi Prats <jprats@xxxxxxxx> wrote:
> About this discussion, chkrootkit is for live systems, isn't it?
> Is there any tool to do rootkit analysis on a "dead" system?
>
> I'm thinking of checking for rootkits on snapshots of the file system of a
> virtual machine to determine if the running virtual machine is compromised.
>

Use -r switch? As long as you can mount the dead system as a (possibly ro)
filesystem, I don't see why not.

Dave

chkrootkit --help
Usage: /usr/lib/chkrootkit-0.47/chkrootkit [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs
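The procedure Dave sketches (mount the snapshot, then point chkrootkit at the mount point with -r), written out as an added shell example; it is not code from the thread. The image path, mount point and trusted-tools directory are assumptions. It mounts the snapshot ro,noexec,nosuid,nodev so nothing from the suspect image can be altered or executed, and uses the -p option from the help text above so that the ls, strings, netstat and similar helpers chkrootkit shells out to are taken from the analysis host rather than from the image, whose binaries are exactly what a rootkit would have replaced.

```shell
#!/bin/sh
# Offline chkrootkit scan of a VM disk snapshot (added example, not from the thread).
# Assumed, hypothetical paths: $IMAGE is a raw disk image of the snapshot,
# $MNT is an empty mount point on the analysis host, and $TRUSTED_BIN holds
# known-good copies of the helper binaries chkrootkit invokes.

# Mount options for the suspect filesystem: read-only so the evidence is not
# changed, noexec/nosuid/nodev so nothing on the image can be run.
snapshot_mount_opts() {
    printf '%s' "ro,noexec,nosuid,nodev"
}

# Build the chkrootkit invocation for a mounted (dead) root:
#   -n  skip NFS mounted dirs (never follow the image out to a network share)
#   -r  treat the mount point as the root directory
#   -p  take the external commands from the analysis host, not from the image
chkrootkit_offline_cmd() {
    mnt="$1"
    trusted_bin="$2"
    printf 'chkrootkit -n -r %s -p %s\n' "$mnt" "$trusted_bin"
}

# Mount, scan, unmount. With DRY_RUN=1 the commands are printed instead of run,
# which is also how the example can be exercised without root or an image.
scan_snapshot() {
    image="$1"
    mnt="$2"
    trusted_bin="$3"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "mount -o loop,$(snapshot_mount_opts) $image $mnt"
        chkrootkit_offline_cmd "$mnt" "$trusted_bin"
        echo "umount $mnt"
        return 0
    fi
    mount -o "loop,$(snapshot_mount_opts)" "$image" "$mnt" || return 1
    # chkrootkit's exit status is what the scan reports; keep it across umount.
    chkrootkit -n -r "$mnt" -p "$trusted_bin"
    rc=$?
    umount "$mnt"
    return $rc
}

# Usage: ./scan_snapshot.sh /path/to/vm.img /mnt/snap /opt/trusted/bin
if [ "$#" -ge 3 ]; then
    scan_snapshot "$1" "$2" "$3"
fi
```

The -p directory should contain statically linked tools copied from a clean host, since a dynamically linked helper on the analysis box still trusts that box's libraries; and because the snapshot is mounted read-only, chkrootkit's own checks leave the evidence untouched for any later forensic work.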